ADB security logging
Log adb shell, pull and push operations to the security log.
Bug: 22860162
Change-Id: I5d24e9d51040ae05a41d9fcb079e84351a217bd3
diff --git a/adb/file_sync_service.cpp b/adb/file_sync_service.cpp
index 781968b..ef0418e 100644
--- a/adb/file_sync_service.cpp
+++ b/adb/file_sync_service.cpp
@@ -21,6 +21,7 @@
#include <dirent.h>
#include <errno.h>
+#include <log/log.h>
#include <selinux/android.h>
#include <stdio.h>
#include <stdlib.h>
@@ -34,6 +35,7 @@
#include "adb_io.h"
#include "adb_utils.h"
#include "private/android_filesystem_config.h"
+#include "security_log_tags.h"
#include <android-base/stringprintf.h>
#include <android-base/strings.h>
@@ -146,6 +148,8 @@
syncmsg msg;
unsigned int timestamp = 0;
+ __android_log_security_bswrite(SEC_TAG_ADB_SEND_FILE, path);
+
int fd = adb_open_mode(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, mode);
if (fd < 0 && errno == ENOENT) {
if (!secure_mkdirs(adb_dirname(path))) {
@@ -314,6 +318,8 @@
}
static bool do_recv(int s, const char* path, std::vector<char>& buffer) {
+ __android_log_security_bswrite(SEC_TAG_ADB_RECV_FILE, path);
+
int fd = adb_open(path, O_RDONLY | O_CLOEXEC);
if (fd < 0) {
SendSyncFailErrno(s, "open failed");
diff --git a/adb/security_log_tags.h b/adb/security_log_tags.h
new file mode 100644
index 0000000..1d02744
--- /dev/null
+++ b/adb/security_log_tags.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __SECURITY_LOG_TAGS_H
+#define __SECURITY_LOG_TAGS_H
+
+/* TODO: Automatically generate this file from the logtags file when build
+ * infrastructure is in place.
+ * Defined in frameworks/base/core/java/android/auditing/SecurityLog.logtags
+ */
+#define SEC_TAG_ADB_SHELL_INTERACTIVE 210001
+#define SEC_TAG_ADB_SHELL_CMD 210002
+#define SEC_TAG_ADB_RECV_FILE 210003
+#define SEC_TAG_ADB_SEND_FILE 210004
+
+#endif
diff --git a/adb/shell_service.cpp b/adb/shell_service.cpp
index e092dc4..c3b9044 100644
--- a/adb/shell_service.cpp
+++ b/adb/shell_service.cpp
@@ -95,11 +95,13 @@
#include <android-base/logging.h>
#include <android-base/stringprintf.h>
#include <paths.h>
+#include <log/log.h>
#include "adb.h"
#include "adb_io.h"
#include "adb_trace.h"
#include "adb_utils.h"
+#include "security_log_tags.h"
namespace {
@@ -240,6 +242,12 @@
ScopedFd parent_error_sfd, child_error_sfd;
char pts_name[PATH_MAX];
+ if (command_.empty()) {
+ __android_log_security_bswrite(SEC_TAG_ADB_SHELL_INTERACTIVE, "");
+ } else {
+ __android_log_security_bswrite(SEC_TAG_ADB_SHELL_CMD, command_.c_str());
+ }
+
// Create a socketpair for the fork() child to report any errors back to the parent. Since we
// use threads, logging directly from the child might deadlock due to locks held in another
// thread during the fork.